sendnrw/pocket-id
2
0
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2026-05-17 18:39:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Chagned CSP to allow only values via SetAllowedFormAction

Browse Source
This commit is contained in:
John van der Wulp
2026-03-09 10:03:18 +01:00
parent def2c9264a
commit 1d1a792043
2 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
backend/internal/controller/oidc_controller.go
View File

@@ -94,17 +94,18 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
return
}
// Set the allowed form-action in CSP when response_mode is form_post
if input.ResponseMode == "form_post" && input.CallbackURL != "" {
middleware.SetAllowedFormAction(c, input.CallbackURL)
}
code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
if err != nil {
_ = c.Error(err)
return
}
// Set the allowed form-action in CSP after validation (when response_mode is form_post)
// Only set if we have a valid callback URL from the service
if input.ResponseMode == "form_post" && callbackURL != "" {
middleware.SetAllowedFormAction(c, callbackURL)
}
response := dto.AuthorizeOidcClientResponseDto{
Code: code,
CallbackURL: callbackURL,